<h1>Robert Lemos</h1>
<p>Journalist, data researcher and technology writer. Feed generated by Jekyll; last updated 2018-09-26T03:48:41+00:00. Site: <a href="http://robertlemos.com/">http://robertlemos.com/</a>. Author: Robert Lemos, mail-at-robertlemos-dot-com.</p>
<h2>More love for the blog</h2>
<p>Published 2018-09-23T18:10:00+00:00. <a href="http://robertlemos.com/blog/more-love-for-blogging">http://robertlemos.com/blog/more-love-for-blogging</a></p>
<p>Anyone who has tried to maintain a blog for a while knows that the marathon of
writing and focus needed to keep a blog fresh requires a great deal of sustained
effort. Even so, six months between blog posts is a bit much. So I’m working on
changing that. (Note, there are other posts on the blog from less than six months
ago, but that’s because I’ve back-posted some older articles.)</p>
<p>I’ve been working on improving my blog, which runs on the Jekyll static engine,
by modifying the <a href="https://github.com/mmistakes/so-simple-theme">So Simple theme</a>
that it uses to do more of what I want, and moving it from free hosting as a
GitHub project to running in a Docker container on Digital Ocean.</p>
<p>Part of my reason for taking on the task is to automate as much of the process as
possible as I push toward incorporating a DevOps mentality into what I do.
Once the automation is complete–and likely, by the time this blog is made
public, it will be complete–it will make it far more likely that I keep up with
the grind needed to keep the content fresh, because it takes out much of the day-to-day administration of getting posts posted.</p>
<p>I’ve always thought that writing was hard enough to do when you are getting paid
for it. In reality, if you are not writing when you are not getting paid for it,
then perhaps you should not be writing at all.</p>
<blockquote>
<p>“A writer is someone for whom writing is more difficult than it is for other people.”</p>
<ul>
<li><cite>Thomas Mann, Essays of Three Decades</cite></li>
</ul>
</blockquote>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>
<h2>Containers under attack: What your app sec team needs to know</h2>
<p>Published 2018-09-05T12:10:00+00:00. <a href="http://robertlemos.com/articles/containers-under-attack">http://robertlemos.com/articles/containers-under-attack</a></p>
<p>As a network-penetration expert, Wesley McGrew regularly runs red-team exercises against the networks of his clients, and increasingly he is seeing containerized applications being targeted.</p>
<p>While containers bring the benefits of standardization, isolation, and the principle of least privilege to the development of cloud-based software, they can be a boon for attackers. Containerized applications don’t necessarily introduce any new vulnerabilities, but they do present additional attack vectors.</p>
<p>Continued at: <a href="https://techbeacon.com/containers-under-attack-what-your-app-sec-team-needs-know"><em>Containers under attack: What your app sec team needs to know</em> — TechBeacon</a></p>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>
<h2>Overwhelmed by security data? Science to the rescue</h2>
<p>Published 2018-08-15T12:10:00+00:00. <a href="http://robertlemos.com/articles/overwhelmed-by-security-data">http://robertlemos.com/articles/overwhelmed-by-security-data</a></p>
<p>When Charles Givre, lead data scientist at Deutsche Bank, teaches security teams about the benefits of applying security data science techniques, he often focuses on a common malware tactic: domain-generation algorithms.</p>
<p>Used by malicious programs to establish contact with a command-and-control server, domain-generation algorithms, or DGAs, create a list of domain names as potential contact points using pseudo-random algorithms. The domains change often – usually daily – and can look random or use random words.</p>
<p>For humans, finding a single computer’s call to a random domain is a difficult problem. Yet data analysis can quickly call out the anomalous communications.</p>
<p>…</p>
<p>Continued at: <a href="https://searchsecurity.techtarget.com/feature/Overwhelmed-by-security-data-Science-to-the-rescue"><em>Overwhelmed by security data? Science to the rescue</em> — TechTarget</a></p>
<p><em>Summary:</em> Security teams increasingly use large data sets from their networks to find hidden threats. Why companies should embark on their own data science and machine learning initiatives.</p>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>
<h2>The Race to Build a Cybersecurity Workforce</h2>
<p>Published 2018-03-19T12:10:00+00:00. <a href="http://robertlemos.com/articles/cybersecurity-workforce">http://robertlemos.com/articles/cybersecurity-workforce</a></p>
<p>Secureworks can’t hire cybersecurity pros fast enough.</p>
<p>The Atlanta-based firm that helps 4,400 companies worldwide fend off cyberattacks has about 140 openings at more than a dozen locations globally. Yet filling those positions has become a grueling—and often impossible—task. The company goes through 12 to 32 interviews just to fill a single analyst position, and the time it takes to find the right candidate continues to lengthen, says Terry McGraw, vice president of global cyberthreat analysis for Secureworks.</p>
<p>…</p>
<p>Continued at: <a href="https://www.cxo-magazine.com/report/the-race-to-build-a-cyber-workforce/"><em>The Race to Build a Cybersecurity Workforce</em> — CXO Magazine</a></p>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>
<h2>Major changes on the way</h2>
<p>Published 2018-03-18T12:10:00+00:00. <a href="http://robertlemos.com/blog/major-changes-coming">http://robertlemos.com/blog/major-changes-coming</a></p>
<p>This year has been an exciting one so far. I’ve tackled a number of data-analysis projects, including investigating data on the cybersecurity workforce shortfall and a deep dive into the National Vulnerability Database.</p>
<p>Some of the cybersecurity workforce data ended up in <a href="http://www.cxo-magazine.com/reports/closing-the-cybersecurity-talent-gap/the-race-to-build-a-cyber-workforce">my feature article for CXO Magazine</a>, a publication of Northeastern University.</p>
<p>I’m working on a couple of other data-analysis projects. Some will end up in reports, and I will post more here when they are published.</p>
<p>I’m also working on revising all my Web sites, so expect more changes here.</p>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>
<h2>Recent ransomware attacks: Is it an epidemic or overblown?</h2>
<p>Published 2017-10-02T12:10:00+00:00. <a href="http://robertlemos.com/articles/ransomware-epidemic-or-overblown">http://robertlemos.com/articles/ransomware-epidemic-or-overblown</a></p>
<p>Major news organizations stated that cybercriminals had raked in more than $209 million from ransomware victims in the first quarter of 2016, more than an eight-fold increase compared to the entire previous year. Citing data from the FBI, CNN predicted that 2016 would see cybercriminals collect more than $1 billion in profits from recent ransomware attacks by the end of the year. Both the Los Angeles Times and Reuters cited the $209 million figure, the Times calling it profits and Reuters portraying it as damages.</p>
<p>The origin of that number is a mystery, however.</p>
<p>Continued at: <a href="https://searchsecurity.techtarget.com/feature/Recent-ransomware-attacks-Is-it-an-epidemic-or-overblown"><em>Recent ransomware attacks: Is it an epidemic or overblown?</em> — TechTarget</a></p>
<p><em>Summary:</em> Until WannaCry and NotPetya, estimates of ransomware cost and damages were likely overblown. But indications are that companies lost hundreds of millions from these malicious attacks alone.</p>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>
<h2>Cite your sources</h2>
<p>Published 2017-04-23T12:10:00+00:00. <a href="http://robertlemos.com/analysis/cite-your-sources">http://robertlemos.com/analysis/cite-your-sources</a></p>
<p>Every week – if not every day – I come across reports that quote a data point with very little information about the source. Here is a recent one (the data point is also in the press release):</p>
<blockquote>
<p>A recent Forrester Research report called attention to open source’s preeminence in application development, with custom code comprising only 10% to 20% of applications.</p>
<ul>
<li>Black Duck’s <a href="https://www.blackducksoftware.com/open-source-security-risk-analysis-2017"><em>2017 Open Source Security and Risk Analysis</em></a>, p. 5.</li>
</ul>
</blockquote>
<p>The first problem I have with the data point is that there is no citation or link for the source of the data. The second problem I have is that – and this took far more digging than is warranted – the 10 to 20 percent number is <strong>not even from Forrester Research</strong>.</p>
<p>Now, this is not about picking on one company. Both in my role as a journalist, and as a data scientist helping companies analyze data to produce internal and public reports, I often run into this problem. I’m hoping by highlighting the issues that companies will be more careful.</p>
<p>So let’s track this one back. And a note on terminology: If the paper gives a full citation, then I will use the verb “cite;” if they give vague information, I will describe that as “sourcing;” and if they give no information, I will label that “unsourced.”</p>
<h3 id="1-black-ducks-report-sourced-a-forrester-report-but-with-no-citation">1. Black Duck’s report sourced a Forrester report but with no citation</h3>
<p>While the press release used the data point without a source, the report itself referred to “Forrester Research.” After a few searches, I found <a href="https://www.bsminfo.com/doc/forrester-wave-report-highlights-the-clear-prominence-of-open-source-0001">this March 2017 article</a>, which mentions the same data point and links to <a href="https://www.forrester.com/report/The+Forrester+Wave+Software+Composition+Analysis+Q1+2017/-/E-RES136463"><em>The Forrester Wave™: Software Composition Analysis, Q1 2017</em></a>. (Note: The article above essentially rewrites <a href="http://www.businesswire.com/news/home/20170223006024/en/Open-Source-Security-Provider-Black-Duck-%E2%80%9CLeader%E2%80%9D">a press release</a> from a couple of weeks before.)</p>
<h3 id="2-citing-a-non-public-report-generally-does-not-help">2. Citing a non-public report generally does not help</h3>
<p>The Forrester Report lists for $2,495. However, these reports are generally available publicly. Searching for the title and PDF filetype redirected me to <a href="https://www.blackducksoftware.com/forrester-software-composition-analysis-q1-2017">a Black Duck landing page</a> that hosted the Forrester report. Turns out, Black Duck sponsored the Forrester report that named them a leader in the industry. This is not uncommon for any industry report.</p>
<blockquote>
<p>In their haste to create applications, developers use open source components as their foundation, creating applications using only 10% to 20% new code.</p>
<ul>
<li><a href="https://www.blackducksoftware.com/forrester-software-composition-analysis-q1-2017"><em>The Forrester Wave™: Software Composition Analysis, Q1 2017</em></a></li>
</ul>
</blockquote>
<h3 id="3-the-forrester-report-actually-cites-sonatype-research">3. The Forrester report actually cites Sonatype research</h3>
<p>So, here’s the rub: The Forrester report is not the source for the data point. The report cites a Sonatype report from 2015 <a href="http://cdn2.hubspot.net/hubfs/1958393/White_Papers/2015_State_of_the_Software_Supply_Chain_Report-.pdf?t=1466775053631">with a link</a>. (Kudos to Forrester Research for the link.)</p>
<p>One problem, however, is that finding the number in the 33-page report is not easy. Searching for “10 to 20 percent” doesn’t return anything, and searching through all the “10” entries does not work either. The reason is that the original data point is:</p>
<blockquote>
<p>[I]n the software supply chain, where an average of 106 components comprise 80-90% of the total application, few organizations have visibility into what components were used and where.</p>
<ul>
<li><a href="http://cdn2.hubspot.net/hubfs/1958393/White_Papers/2015_State_of_the_Software_Supply_Chain_Report-.pdf?t=1466775053631">2015 State of the Software Supply Chain Report</a>, p. 22.</li>
</ul>
</blockquote>
<p>The point is also mentioned on page 5. (It was around this point that I decided this would make a good blog post.)</p>
<p>The trail did not stop here, of course. Sonatype cited older research in both instances.</p>
<h3 id="4-sonatype-report-cites-ongoing-application-health-check-data-circa-2013-2014">4. Sonatype report cites ongoing Application Health Check data (circa 2013-2014)</h3>
<p>The 33-page Sonatype report cited (in an endnote) its own data: For the citation on page 5, “Sonatype research including Application Health Checks and Open Source surveys, 2013 – 2014,” and for the citation on page 22, “Sonatype, 2014 analysis of Application Health Check results.”</p>
<p>Unfortunately, none of the Application Health Check results are contained in a standalone report. Some results are quoted in a slide deck, or what appears to be the notes to a slide deck.</p>
<p>While there is no reason to doubt the veracity of the data, discovering its provenance was certainly a chore.</p>
<p>Two final points:</p>
<ul>
<li>A data point that was supposed to be “recent” <strong>actually came from data from 2013 or 2014</strong>. The data might even be older, as a <a href="https://www.cnet.com/news/forrester-survey-discovers-that-virtually-no-one-uses-open-source/">2008 CNET News.com piece</a> referred to a Gartner prediction:
<blockquote>
<p>Earlier this year, Gartner’s Mark Driver noted the following: By 2012, 80 percent or more of all commercial software will include elements of open-source technology.</p>
<ul>
<li>Source is ComputerWorld UK (broken link), according to <a href="https://www.cnet.com/news/forrester-survey-discovers-that-virtually-no-one-uses-open-source/">CNET News.com</a></li>
</ul>
</blockquote>
</li>
<li>Without more information, it is hard to decide what to make of, for example, Black Duck’s finding that:
<blockquote>
<p>On average, open source comprised 36% of the code base in these applications. This is a lower percentage than cited by Forrester, a reflection of the mature application codebases that are typically the focus of Black Duck audits.</p>
<ul>
<li>Black Duck’s <a href="https://www.blackducksoftware.com/open-source-security-risk-analysis-2017"><em>2017 Open Source Security and Risk Analysis</em></a>, p. 5.</li>
</ul>
</blockquote>
</li>
</ul>
<p><strong>Next week:</strong> Heard that ransomware caused $209 million in losses in Q1 2016? <a href="/articles/ransomware-epidemic-or-overblown/">It didn’t.</a></p>
<p><em>Summary:</em> Digging into a data point that has minimal citation finds it is more than three years older than expected and came from a completely different source.</p>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>
<h2>Two decades</h2>
<p>Published 2017-04-13T19:37:00+00:00. <a href="http://robertlemos.com/blog/two-decades">http://robertlemos.com/blog/two-decades</a></p>
<p>February 2017 marked a major anniversary for me: Two straight decades as a journalist and writer.</p>
<p>With the constant crunch of work and life, I missed even thinking about it until I sat down to write up a blog post.</p>
<p>In February 1997, I returned from Tokyo and landed in San Francisco to take up a job with what – for a short time (weeks) – was known as PC Week Online. It then became ZDNet News. About 4 years later, the company was bought by CNET, and I joined News.com. While I had worked for a little more than a year as a reporter and editor in Japan, I had worked in engineering for a while before deciding to dedicate myself to writing.</p>
<p>Journalism has suited me, because I enjoy research. I also enjoy writing, but it has always been a struggle to overcome the blocks that the mind throws in your path. Age and experience have just meant that I understand the challenges more and have found ways to undermine the tricks my subconscious plays on me to sap my productivity.</p>
<p>Overall, it’s been a great run. I would conservatively estimate that I’ve written at least 4,000 articles and won a half dozen awards. Who knows what the future holds? For now, however, I continue to write.</p>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>
<h2>Month in review: No privacy for home computers, and the end of ‘trustworthy’ ransomware?</h2>
<p>Published 2016-07-05T15:44:00+00:00. <a href="http://robertlemos.com/articles/week-in-review-no-privacy">http://robertlemos.com/articles/week-in-review-no-privacy</a></p>
<p>It’s amazing how quickly a month can pass and how easily a commitment to regularly update your blog goes by the wayside. The past month, I’ve written more than a dozen articles, but two that deal with important events stand out.</p>
<p>The first is the ruling by Senior U.S. District Judge Henry Coke Morgan Jr. allowing the FBI to use a single warrant to run information-gathering tools on the systems of suspected criminals that browse, in the current case, a site with illicit images. Judge Morgan <a href="http://www.eweek.com/security/home-computers-connected-to-the-internet-arent-private-court-rules.html">even stated</a> that a warrant is unnecessary because of the type of crime being investigated and because users should have no “objectively reasonable expectation of privacy.”</p>
<p>I’ll let the judge explain his reasoning:</p>
<blockquote>
<p>[H]acking is much more prevalent now than it was even nine years ago, and the rise of computer hacking via the Internet has changed the public’s reasonable expectations of privacy. Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: In today’s digital world, it appears to be a virtual certainty that computers accessing the Internet can—and eventually will—be hacked.</p>
<p>— <cite>Senior U.S. District Judge Henry Coke Morgan Jr.</cite></p>
</blockquote>
<p>While the specific ruling applies to a limited subset of information — the IP address and system data of the suspect — the technique could easily be used to gain more intelligence. The Electronic Frontier Foundation believes the ruling will likely be overturned, but it does show that privacy has become a race to the bottom.</p>
<p>In a similar way, ransomware criminals may be starting their own race to the bottom. They are acting out the Tragedy of the Commons, a parable of individuals making the best short-term decision for themselves, but which has long-term poor consequences for the group. In a statement to local press, Kansas Heart Hospital, a ransomware victim, claimed it had paid a ransom for its data and the criminals asked for more money before turning over the keys to the rest of the hospital’s systems.</p>
<p>Such double-dipping, if it continues, will <a href="http://www.pcworld.com/article/3083772/security/how-greed-could-destroy-the-ransomware-racket.html">erode the trust</a> that victims have placed in ransomware operators to date, which could spell the beginning of the end for the scam.</p>
<ul>
<li>“Home Computers Connected to the Internet Aren’t Private, Court Rules,” <a href="http://www.eweek.com/security/home-computers-connected-to-the-internet-arent-private-court-rules.html"><em>eWEEK</em></a></li>
<li>“How greed could destroy the ransomware racket,” <a href="http://www.pcworld.com/article/3083772/security/how-greed-could-destroy-the-ransomware-racket.html"><em>PCWorld</em></a></li>
</ul>
<p><em>Week (Month) in Review is where I highlight articles that I’ve written and that have been published in the last week.</em></p>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>
<h2>Week in review: Breach losses no biggie</h2>
<p>Published 2016-05-30T12:10:00+00:00. <a href="http://robertlemos.com/articles/week-in-review-breach-losses">http://robertlemos.com/articles/week-in-review-breach-losses</a></p>
<p>Phishing is one of those problems that the security industry is not going to solve. However, they are making it tougher.</p>
<p>The Anti-Phishing Working Group <a href="http://www.eweek.com/security/phishers-creating-more-noise-to-fool-defenses.html">released its quarterly report this week</a>. It took a bit to digest because it had some errors in its analysis, but the most significant data point seems to be that the number of Web pages created as a landing page for phishing attacks has skyrocketed. While that at first seems threatening, and the APWG appears to read it that way, it could be the opposite. If the attackers are reacting to better defenses and quicker takedowns of their sites by churning through many more URLs, then that is a success, of sorts.</p>
<p>I also took a look at breach data this week. The data does seem to suggest that, while companies are increasingly punished for big breaches, their losses – along with moderate customer churn – appear to have a small impact on the companies in the medium and long term.</p>
<blockquote>
<p>Sure they feel the pain, and some stock prices have gone down, but no one has really felt a lot of pain.
— Lillian Ablon, cyber-security and emerging technologies analyst at RAND</p>
</blockquote>
<p>This is not necessarily a new finding, but as more breaches cause havoc at firms, seeing whether the trend holds will be interesting.</p>
<ul>
<li>“Phishers Creating More Noise to Fool Defenses,” <a href="http://www.eweek.com/security/phishers-creating-more-noise-to-fool-defenses.html"><em>eWEEK</em></a></li>
<li>“Huge Data Breach Losses Aren’t Forcing Companies to Bolster Security,” <a href="http://www.eweek.com/security/huge-data-breach-losses-arent-forcing-companies-to-bolster-security.html"><em>eWEEK</em></a></li>
</ul>
<p><em>Week in Review is where I highlight articles that I’ve written and that have been published in the last week.</em></p>
<p><em>Robert Lemos, mail-at-robertlemos-dot-com</em></p>